Hello wouterr. Not sure where your post went...
but thank you for your reply.... I currently have an SR open for this. What I am seeing is that our internal FW rules (by DNS suffix) are still being used with my home connection. For example, internally we allow incoming pings; outside we do not. Outside vs. inside is determined via DNS suffix. When I take my machine home, I am still able to ping the machine even though the DNS suffix of the active adapter is not the internal one. I checked the FW logs, and it does look like the internal DNS suffix rules are being applied even though the active adapter I was using had a different DNS suffix. I'll post any findings here, as this potential issue will delay our ENS FW rollout.
The SR is still open for this, as they have been reviewing the logs for a week+ now. I assume it's a bug, considering they haven't asked me for further information; it's been a little frustrating dealing with McAfee's very slow response to this issue.
As we are running a mixed VSE/ENS environment and have to manage firewalls on both types of clients we are using the HIPS firewall together with ENS TP.
Also, we have noticed our ENS firewall policies get corrupted if we try to modify a HIPS firewall rule in the catalog. So in short, we are using the HIPS FW on all our systems. My previous post was based on this setup (so related to the HIPS FW instead of the ENS FW); that's why I deleted it.
Now, in short, I also did a little test with the ENS 10 FW. I linked a policy with a rule group which is enabled/disabled based on a LAG that checks a specific registry value. I also noticed some inconsistent behaviour, as the rule group did not seem to get activated.
Note: in ENS 10 you can check the status of the LAGs by enabling the firewall debug logging in the Endpoint Security Common > Options policy.
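Before opening an SR on a LAG like the ones described above (a DNS-suffix criterion for inside/outside, or a registry-value criterion), it helps to have an independent record of what the LAG criteria should evaluate to on the endpoint at the moment the test is run, so that the rule group the firewall debug log reports as active can be compared against it. The following PowerShell script is an added example written for this thread; it is not code from the thread's posters and it does not use any McAfee API. It only uses the standard Windows networking cmdlets to list the connection-specific DNS suffix of every adapter that is Up, and reads a registry value. The internal suffixes, the registry path, value name and expected value are placeholders (assumptions) that must be replaced with the values used in your own LAG definitions.

```powershell
# Added example (not from the thread or from McAfee): report what the Location
# Aware Group criteria should evaluate to on this machine right now, so the
# result can be compared with the rule group the firewall debug log shows as
# active. Run in an elevated PowerShell on the endpoint under test.

# --- Assumed values: replace with the criteria configured in your LAGs -------
$InternalSuffixes = @('corp.example.com', 'ad.example.com')   # assumed suffixes
$RegPath          = 'HKLM:\SOFTWARE\ExampleCorp\Location'     # assumed key
$RegName          = 'IsInternal'                              # assumed value name
$RegExpected      = 1                                         # assumed value

# Only adapters that are Up matter. A disconnected Ethernet adapter that still
# carries the office suffix from the last DHCP lease is the usual source of
# "it says internal while I am at home" confusion, so show it explicitly.
$allAdapters = Get-NetAdapter
$report = foreach ($adapter in $allAdapters) {
    $dns   = Get-DnsClient        -InterfaceIndex $adapter.ifIndex
    $ipcfg = Get-NetIPConfiguration -InterfaceIndex $adapter.ifIndex -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Adapter         = $adapter.Name
        Status          = $adapter.Status
        Suffix          = $dns.ConnectionSpecificSuffix
        DefaultGateway  = (@($ipcfg.IPv4DefaultGateway.NextHop) -join ',')
        # Suffix match only counts when the adapter is actually connected.
        MatchesInternal = ($adapter.Status -eq 'Up') -and
                          ($InternalSuffixes -contains $dns.ConnectionSpecificSuffix)
    }
}
$report | Format-Table -AutoSize

# DNS-suffix LAG: active if at least one connected adapter carries an internal suffix.
$suffixSaysInternal = (@($report | Where-Object { $_.MatchesInternal })).Count -gt 0

# Registry-value LAG: active if the key exists and the value matches the expected one.
$regSaysInternal = $false
if (Test-Path $RegPath) {
    $actual = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
    $regSaysInternal = ($null -ne $actual) -and ($actual -eq $RegExpected)
}

"{0,-28}: {1}" -f 'DNS-suffix LAG should be', $(if ($suffixSaysInternal) { 'ACTIVE (internal rules)' } else { 'INACTIVE (external rules)' })
"{0,-28}: {1}" -f 'Registry LAG should be',   $(if ($regSaysInternal)    { 'ACTIVE' } else { 'INACTIVE' })
"{0,-28}: {1}" -f 'Timestamp',                (Get-Date -Format 'yyyy-MM-dd HH:mm:ss')
```

Run it once on the office network and once on the home connection, keep the output together with the firewall debug log from the same minute, and from a second host send a ping to the endpoint in each location. If the script reports the DNS-suffix LAG as INACTIVE while the log shows the internal rule group applied and the ping is answered, you have a self-contained reproduction to attach to the SR rather than a description.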
A LAG group I have is definitely being applied when it should not be. Engineering has been looking at it for the past week. I'm expecting them to tell me it's a bug at some point. I'll post here when I finally get clarification on what the root issue is.
Not sure if anyone else is using LAG rules with a DNS connection suffix, but there is/has been a bug that is still there in 10.2. I've been trying to get them to fix this since June. It's a pretty major bug depending on how you are using your LAG rules. It pretty much provides no protection to the endpoint if you are using a LAG DNS suffix rule as the internal/external criterion.